DOCSLIB.ORG

Features of Netcat

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Features of Netcat Features of Netcat Jeffrey Kurcz School of Computer Science University of Windsor [email protected] and sometimes the Operating System in which it Abstract is running on. This paper discusses the many uses that Netcat Once the Hacker or Penetration Tester has this information they can find vulnerabilities or use a can perform for many different tasks that need to well known exploit to gain access to the system be done on a network. Netcat is network tool that they want. Whether they exploit a vulnerable allows a user or administrator write or read data over the network. This can be done by using both FTP server or a vulnerable Web server doesn’t the Transmission Control Protocol (TCP) and matter as long as they can get access to the User Datagram Protocol (UDP) protocols. This machine. From there the hacker will use that backdoor to gain access whenever they want, or tool was rated #4 on sectools.org top 100 upload a Trojan or create another backdoor of Network Security Tools by insecure.org. You will their own for their own access so that another see why it is considered the Swiss-Army Knife of TCP/IP because of its high recognition and hacker cannot gain access from the same usefulness of the abilities it can perform. vulnerable program that they just used. Netcat allows the use for all of these, from port Keywords scanning, to banner grabbing to creating a Netcat, Local Area Network (LAN), Wide Area backdoor on a host machine for allowing shell Network (WAN), Remote Access, Port Scanning, access to the hacker to take over the computer. Banner Grabbing, Server-Client Networking This is probably why Netcat is noted as such a useful tool to many hackers, and a useful tool for network administrators troubleshooting or I. Introduction debugging their networks. As newer programs, applications, and systems are released for the world, they are becoming larger in size, scale and complexity. This issue II. History creates potential for many small bugs and Netcat is a simple UNIX utility with its last glitches in programs because they are so large stable build in 1996 by the creator named Hobbit. that a developer may miss key issues, or for There has been many other successors to Netcat testing purposes create a bug to be used then late such as Socat, Cyrptcat and ncat. The name for get to take it out when publishing. Since so Netcat comes from the UNIX tool cat which many vulnerabilities are appearing there are reads and writes files from an operating system, many tools to help a hacker or penetration tester where Netcat reads and writes data on a network assess and validate the security of a vulnerable or communication using the TCP or UDP protocols. invulnerable system. The purpose of Netcat is for network Netcat is one of these tools. It offers such a administrators to troubleshoot or debug issues diverse scale of features that it is capable of pertaining to their network either locally or taking hold of a system from the beginning, remotely, while it also has those uses Black hats starting with scanning and looking for open ports can use it for mischievous tasks. Netcat can be that services may be running on a system. With run as a simple standalone command line the next step of banner grabbing which is program or as backend for another program or connecting to this system on an open port and script. getting a response from the server on which services are running along with which version III. Features for the ports you can list an individual port, a range of ports such as 80-90, or multiple different ports such as 22, 80. 3.0 Netcat Syntax In the example below we scan socr.uwindsor.ca Here is the general syntax for Netcat: to see if ports 22 (SSH) and 80 (Web Server) are open. nc [options] hostname port[s] To make Netcat run as a server you must include the following two flag options: -l: this option sets Netcat to listen for incoming connections. -p: this option sets the port to listen on. Other flag options for client or server are: -h: help mode As you can see it returns the hostname, IP -d: run in background mode address of the hostname, the ports scanned as -e: inbound program to execute well as the protocol their typically used for as -z: zero-I/O mode [used for scanning ports] well as the status of the port, being open or -n: numeric IP address only closed. -u: run as UDP -r: randomize local ports 3.2 Banner Grabbing -w: timeouts for connects Banner Grabbing is a technique used in order to -v: verbose mode determine which services are running on a specified port by requesting a connection to the 3.1 Port Scanning server and the server returns basic information to let an application know which protocol to use to Port Scanning is a technique which is used to make a connection. scan a system to determine which ports a system has opened and closed. For the first 1024 ports To do a simple banner grab simply try to connect there are standard programs that typically run on to the server running the open port and send known ports. Such as port 80 is for Web servers, some information. For example to connect to a 21 for File Transfer Servers, 22 for secure shells, web server and see what is running you can type 110 for POP e-mail servers and the list continues. nc socr.uwindsor.ca 80 There are much better tools for port scanning such as Nmap which is a “network mapper” and Then once connected type: will identify all hosts running on a network within a specified IP range as well as many of HEAD / HTTP/1.1 the services running on the hosts and other information about the Operating System and the This will generate a simple request to a web versions of software running. Although Netcat server and return the web service running, the allows for very similar and basic activity once version of that service as well as any patches or you understand how to use Netcat it is just as add-ons. It will also return the host operating powerful as other tools. system it is running. To run a port scan using Netcat you can use the following command: nc –v –z hostname ports For the host you can use an ip address or a dns name, and netcat will perform a dns lookup. Also The following example shows the information displayed when trying to connect to a secure shell running on the same host. 3.4 File Transfer Since Netcat allows data to be transferred back and forth on the same connection, it doesn’t matter if it is plain text data or a file. They will both work the same way. The only difference is Many other port scanning and vulnerability how you start the server and data. You can use assessment tools also do a banner grab when the Input and Output flags on either the client or doing a scan and inform you which services are the server. Generally if you want to transfer a file running and which may have open vulnerabilities from the client to the server you will use input on that can be exploited. the client and select the filename to be transferred. While on the server if you know there’s a file being sent you will choose the 3.3 Basic Chat Interface output to be of the same filename or file type as Netcat also has the ability to run as either the the client is sending. client or as the server, allowing it to play both roles. If a user wanted to they could run Netcat The following image depicts a client sending as a server on one machine and connect the client somefile.txt as the input to the server in this case to it using the port that the server is running on. just using the default output method. The server Once the client is connected to the server it can will display what the client has sent. If the server then communicate by using its own specific had run with the option > someotherfile.txt the protocols if applied to an application. In our case content of the file being sent from the server we will just use it as a simple chat program. would be saved into that file as the output method. To run Netcat as a server type: nc –L –p port To run Netcat as a client and connect, type: nc hostname port The example below shows a server and client both running on the loopback interface of the same machine. Although this works the same way if the client and server are connecting remotely. In the image below the Server and Client are labeled, but the option flag –l or –L stand for listen, which will listen for connections, making it the server. 3.5 Creating a Backdoor Backdoors are extremely useful to allow for system you are not given output like in a remote access to a system because it opens up windows environment. By typing UNIX the ability to take control of the host you are commands we get a response and that is how we connected to. Once a hacker connects to a know we are successfully connected and it is a backdoor it is important for them to create a new UNIX system.
Load more

Recommended publications
  • Netcat and Trojans/Backdoors
    Netcat and Trojans/Backdoors ECE4883 – Internetwork Security 1 Agenda Overview • Netcat • Trojans/Backdoors ECE 4883 - Internetwork Security 2 Agenda Netcat • Netcat ! Overview ! Major Features ! Installation and Configuration ! Possible Uses • Netcat Defenses • Summary ECE 4883 - Internetwork Security 3 Netcat – TCP/IP Swiss Army Knife • Reads and Writes data across the network using TCP/UDP connections • Feature-rich network debugging and exploration tool • Part of the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions. • UNIX and Windows versions available at: http://www.atstake.com/research/tools/network_utilities/ ECE 4883 - Internetwork Security 4 Netcat • Designed to be a reliable “back-end” tool – to be used directly or easily driven by other programs/scripts • Very powerful in combination with scripting languages (eg. Perl) “If you were on a desert island, Netcat would be your tool of choice!” - Ed Skoudis ECE 4883 - Internetwork Security 5 Netcat – Major Features • Outbound or inbound connections • TCP or UDP, to or from any ports • Full DNS forward/reverse checking, with appropriate warnings • Ability to use any local source port • Ability to use any locally-configured network source address • Built-in port-scanning capabilities, with randomizer ECE 4883 - Internetwork Security 6 Netcat – Major Features (contd) • Built-in loose source-routing capability • Can read command line arguments from standard input • Slow-send mode, one line every N seconds • Hex dump of transmitted and received data • Optional ability to let another program service established connections • Optional telnet-options responder ECE 4883 - Internetwork Security 7 Netcat (called ‘nc’) • Can run in client/server mode • Default mode – client • Same executable for both modes • client mode nc [dest] [port_no_to_connect_to] • listen mode (-l option) nc –l –p [port_no_to_connect_to] ECE 4883 - Internetwork Security 8 Netcat – Client mode Computer with netcat in Client mode 1.
    [Show full text]
  • Netcat Starter
    www.allitebooks.com Instant Netcat Starter Learn to harness the power and versatility of Netcat, and understand why it remains an integral part of IT and Security Toolkits to this day K.C. Yerrid BIRMINGHAM - MUMBAI www.allitebooks.com Instant Netcat Starter Copyright © 2013 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. First published: January 2013 Production Reference: 1170113 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-84951-996-0 www.packtpub.com www.allitebooks.com Credits Author Project Coordinators K.C. "K0nsp1racy" Yerrid Shraddha Bagadia Esha Thakker Reviewer Jonathan Craton Proofreader Kelly Hutchison IT Content and Commissioning Editor Graphics Grant Mizen Aditi Gajjar Commissioning Editor Production Coordinator Priyanka Shah Melwyn D'sa Technical Editor Cover Work Ameya Sawant Melwyn D'sa Copy Editor Cover Image Alfida Paiva Conidon Miranda www.allitebooks.com About the author K.C.
    [Show full text]
  • Singularityce User Guide Release 3.8
    SingularityCE User Guide Release 3.8 SingularityCE Project Contributors Aug 16, 2021 CONTENTS 1 Getting Started & Background Information3 1.1 Introduction to SingularityCE......................................3 1.2 Quick Start................................................5 1.3 Security in SingularityCE........................................ 15 2 Building Containers 19 2.1 Build a Container............................................. 19 2.2 Definition Files.............................................. 24 2.3 Build Environment............................................ 35 2.4 Support for Docker and OCI....................................... 39 2.5 Fakeroot feature............................................. 79 3 Signing & Encryption 83 3.1 Signing and Verifying Containers.................................... 83 3.2 Key commands.............................................. 88 3.3 Encrypted Containers.......................................... 90 4 Sharing & Online Services 95 4.1 Remote Endpoints............................................ 95 4.2 Cloud Library.............................................. 103 5 Advanced Usage 109 5.1 Bind Paths and Mounts.......................................... 109 5.2 Persistent Overlays............................................ 115 5.3 Running Services............................................. 118 5.4 Environment and Metadata........................................ 129 5.5 OCI Runtime Support.......................................... 140 5.6 Plugins.................................................
    [Show full text]
  • Netcat − Network Connections Made Easy
    Netcat − network connections made easy A lot of the shell scripting I do involves piping the output of one command into another, such as: $ cat /var/log/messages | awk '{print $4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15}' | sed −e 's/\[[0−9]*\]:/:/' | sort | uniq | less which shows me the system log file after removing the timestamps and [12345] pids and removing duplicates (1000 neatly ordered unique lines is a lot easier to scan than 6000 mixed together). The above technique works well when all the processing can be done on one machine. What happens if I want to somehow send this data to another machine right in the pipe? For example, instead of viewing it with less on this machine, I want to somehow send the output to my laptop so I can view it there. Ideally, the command would look something like: $ cat /var/log/messages | awk '{print $4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15}' | sed −e 's/\[[0−9]*\]:/:/' | sort | uniq | laptop That exact syntax won't work because the shell thinks it needs to hand off the data to a program called laptop − which doesn't exist. There's a way to do it, though. Enter Netcat Netcat was written 5 years ago to perform exactly this kind of magic − allowing the user to make network connections between machines without any programming. Let's look at some examples of how it works. Let's say that I'm having trouble with a web server that's not returning the content I want for some reason.
    [Show full text]
  • Steering Connections to Sockets with BPF Socket Lookup Hook
    Steering connections to sockets with BPF socket lookup hook Jakub Sitnicki, Cloudflare @jkbs0 @cloudflare October 28-29, 2020 Who am I? ● Software Engineer at Cloudflare Spectrum TCP/UDP reverse proxy, Linux kernel, ... ● Contributor to Linux kernel networking & BPF subsystems Goal Run a TCP echo service on ports 7, 77, and 777 … using one TCP listening socket. Fun? We will need… ❏ VM running Linux kernel 5.9+ ❏ bpftool 5.9+ ❏ libbpf headers ❏ kernel headers vm $ uname -r 5.9.1-36.vanilla.1.fc32.x86_64 vm $ bpftool version bpftool v5.9.1 Code and instructions at https://github.com/jsitnicki/ebpf-summit-2020 We will need… a TCP echo server $ sudo dnf install nmap-ncat $ nc -4kle /bin/cat 127.0.0.1 7777 & Netcat + /bin/cat [1] 1289 $ ss -4tlpn sport = 7777 State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 10 127.0.0.1:7777 0.0.0.0:* users:(("nc",pid=1289,fd=3)) $ nc -4 127.0.0.1 7777 hello⏎ Test it! hello ^D Check open ports on VM external IP vm $ ip -4 addr show eth0 check VM IP 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 inet 192.168.122.221/24 brd 192.168.122.255 scope global dynamic noprefixroute eth0 valid_lft 2563sec preferred_lft 2563sec host $ nmap -sT -p 1-1000 192.168.122.221 … Not shown: 999 closed ports scan first 1000 ports PORT STATE SERVICE 22/tcp open ssh 7, 77, 777 are closed Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds What is socket lookup? socket receive Application buffer socket Receive path for local delivery lookup Protocol filter INPUT Network raw mangle nat routing conntrack forward PREROUTING PREROUTING PREROUTING decision TC Ring alloc_skb XDP ingress Buffer Driver Wikipedia - Packet flow in Netfilter and General Networking Service dispatch with BPF socket lookup packet metadata BPF program lookup result struct bpf_sk_lookup { (1) 010 (4) __u32 family; 101 Ncat socket 010 __u32 protocol; __u32 remote_ip4; (2) is (3) pick __u32 remote_port; local port echo service __u32 local_ip4; open? socket __u32 local_port; /* ..
    [Show full text]
  • Week​ ​2:​ ​​ ​Networking​ ​Lab
    Week 2: Networking Lab ​ ​ ​ ​​ ​ ​ ​ Topics: I. Netcat II. Nmap III. Wireshark Setup 1. SSH Client ​ ​ If you completed this step in the previous lab, you can skip this step. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Once you are in the lab, you will need to get access to the Wi-Fi, and you will need a ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ SSH client installed on your laptop. The lab Wi-Fi password will be up on the board, so ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ you can use that to get access to the Wi-Fi. If you are on a Mac or have Linux installed, ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ a SSH client should already be installed. If your laptop is running Windows, though, you ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ will need to install putty (a windows SSH client). Its installer can be found at the below ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ URL: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html Now that everything is set up, SSH into the lab1 server. ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ On Mac/Linux, type the following into your terminal ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ssh [email protected] ​ ​ Substitute your username for “user1” and it should work out ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ On windows, start up putty, and enter the following into the “Host Name (or IP Address)” ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ ​ Field [email protected]
    [Show full text]
  • Mac OS X Server
    Mac OS X Server Version 10.4 Technology Overview August 2006 Technology Overview 2 Mac OS X Server Contents Page 3 Introduction Page 5 New in Version 10.4 Page 7 Operating System Fundamentals UNIX-Based Foundation 64-Bit Computing Advanced BSD Networking Architecture Robust Security Directory Integration High Availability Page 10 Integrated Management Tools Server Admin Workgroup Manager Page 14 Service Deployment and Administration Open Directory Server File and Print Services Mail Services Web Hosting Enterprise Applications Media Streaming iChat Server Software Update Server NetBoot and NetInstall Networking and VPN Distributed Computing Page 29 Product Details Page 31 Open Source Projects Page 35 Additional Resources Technology Overview 3 Mac OS X Server Introduction Mac OS X Server version 10.4 Tiger gives you everything you need to manage servers in a mixed-platform environment and to con gure, deploy, and manage powerful network services. Featuring the renowned Mac OS X interface, Mac OS X Server streamlines your management tasks with applications and utilities that are robust yet easy to use. Apple’s award-winning server software brings people and data together in innovative ways. Whether you want to empower users with instant messaging and blogging, gain greater control over email, reduce the cost and hassle of updating software, or build your own distributed supercomputer, Mac OS X Server v10.4 has the tools you need. The Universal release of Mac OS X Server runs on both Intel- and PowerPC-based The power and simplicity of Mac OS X Server are a re ection of Apple’s operating sys- Mac desktop and Xserve systems.
    [Show full text]
  • TCP/IP Attack Lab 1
    SEED Labs – TCP/IP Attack Lab 1 TCP/IP Attack Lab Copyright c 2006 - 2016 Wenliang Du, Syracuse University. The development of this document was partially funded by the National Science Foundation under Award No. 1303306 and 1318814. This work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 4.0 International License. A human-readable summary of (and not a substitute for) the license is the following: You are free to copy and redistribute the material in any medium or format. You must give appropriate credit. If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original. You may not use the material for commercial purposes. 1 Lab Overview The learning objective of this lab is for students to gain first-hand experience on vulnerabilities, as well as on attacks against these vulnerabilities. Wise people learn from mistakes. In security education, we study mistakes that lead to software vulnerabilities. Studying mistakes from the past not only help students understand why systems are vulnerable, why a seemly-benign mistake can turn into a disaster, and why many security mechanisms are needed. More importantly, it also helps students learn the common patterns of vulnerabilities, so they can avoid making similar mistakes in the future. Moreover, using vulnerabilities as case studies, students can learn the principles of secure design, secure programming, and security testing. The vulnerabilities in the TCP/IP protocols represent a special genre of vulnerabilities in protocol de- signs and implementations; they provide an invaluable lesson as to why security should be designed in from the beginning, rather than being added as an afterthought.
    [Show full text]
  • Cyber502x Computer Forensics
    CYBER502x Computer Forensics Unit 2: Linux/Unix Forensics Acquisition CYBER 502x Computer Forensics | Yin Pan Investigating Linux/Unix systems • Four basic forensics steps • Collect • Preserve • Analyze • Present (report) CYBER 502x Computer Forensics | Yin Pan Preparation • A tool box (CD or USB) containing trusted forensic tools • A powerful machine with forensic tools installed and clean-wiped hard drive to store acquired evidence. CYBER 502x Computer Forensics | Yin Pan Remember! • Always have your OWN tool sets ready !! • You are dealing with a compromised system • Run tools from your own USB or device • Save the output outside of the compromised system CYBER 502x Computer Forensics | Yin Pan Forensics tools in common • Ensure forensically-sound operations • Process data structure from the image bypassing kernel’s support • Work on both images and live systems CYBER 502x Computer Forensics | Yin Pan Basic imaging steps • Obtain volatile data (including RAM) –According to policy and the case nature • Acquire non-volatile data (image drives and removable media) CYBER 502x Computer Forensics | Yin Pan Acquire volatile information • System information • Memory usage • Running processes • Logged in users • Network connections • Network interface configuration (promiscuous mode?) • …. CYBER 502x Computer Forensics | Yin Pan Volatile Evidence • Most volatile Least volatile Nonvolatile • Memory • Swap space or gagefile • Network status and connections • Processes running • File opening • Hard drive media • Removable media (CD, Zip, USB,
    [Show full text]
  • Linux Shell Scripting Cookbook Second Edition
    Linux Shell Scripting Cookbook Second Edition Over 110 practical recipes to solve real-world shell problems, guaranteed to make you wonder how you ever lived without them Shantanu Tushar Sarath Lakshman BIRMINGHAM - MUMBAI Linux Shell Scripting Cookbook Second Edition Copyright © 2013 Packt Publishing All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information. First published: January 2011 Second edition: May 2013 Production Reference: 1140513 Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-78216-274-2 www.packtpub.com Cover Image by Parag Kadam ([email protected]) Credits Authors Project Coordinator Shantanu Tushar Shiksha Chaturvedi Sarath Lakshman Proofreader Reviewers Linda Morris Rajeshwari K. John C. Kennedy Indexer Hemangini Bari Anil Kumar Sudhendu Kumar Production Coordinator Aravind SV Shantanu Zagade Acquisition Editor Cover Work Kartikey Pandey Shantanu Zagade Lead Technical Editor Ankita Shashi Technical Editors Jalasha D'costa Amit Ramadas Lubna Shaikh About the Authors Shantanu Tushar is an advanced GNU/Linux user since his college days.
    [Show full text]
  • Research on UNIX Forensic Analysis
    International Conference on Intelligent Control and Computer Application (ICCA 2016) Research on UNIX Forensic Analysis Lianfu Yin Nahu College, Jiaxing University Jiaxing, Zhejiang 314033, China [email protected] Abstract—UNIX is one of the most mainstream operating systems, it has great practical significance to research the methodology of B. Initial response information preservation UNIX forensic analysis. This paper firstly introduces the method The initial response information can be saved in the to capture the volatile data from UNIX systems, then introduces following ways: the concrete steps and method of UNIX forensic analysis. 1) Save data on the local hard disk; Keywords- computer crime; computer forensics; UNIX 2) Save data in remote media such as floppy disks, USB forensics Analysis drives or tape drives; 3) Manually record information; Ⅰ. INTRODUCTION As UNIX is one of the most common mainstream operating 4) Use netcat (or cryptcat) command, and transfer the systems, it is quite important to analysis the forensic method of located data to the forensic analytical engine through the UNIX system. Before we do forensic analysis, we shall obtain network. forensic data first. Forensics data are divided into two main Try not to save the data on the local hard disk. When we do categories, one is volatile data, and the other is nonvolatile data. data recovery or forensic analysis, the data stored on the local Volatile data are those data which will all disappear when hard disk would overwrite the deleted data located in the computer shuts down. These data are usually in internal unallocated spaces, for these data may provide evidence while memory, mainly including information like the status of the investigating.
    [Show full text]
  • Lab 9: Analyze and Differentiate Types of Malware
    ® CompTIA Security+ Lab Series Lab 9: Analyze and Differentiate Types of Malware CompTIA Security+® Domain 3 - Threats and Vulnerabilities Objective 3.1: Analyze and differentiate among types of malware Document Version: 2013-08-02 Organization: Moraine Valley Community College Author: Jesse Varsalone Copyright © Center for Systems Security and Information Assurance (CSSIA), National Information Security, Geospatial Technologies Consortium (NISGTC) The original works of this document were funded by the National Science Foundation’s (NSF) Advanced Technological Education (ATE) program Department of Undergraduate Education (DUE) Award No. 0702872 and 1002746; Center for Systems Security and Information Assurance (CSSIA) at Moraine Valley Community College (MVCC). This work has been adapted by The Department of Labor (DOL) Trade Adjustment Assistance Community College and Career Training (TAACCCT) Grant No. TC-22525-11-60-A-48. The National Information Security, Geospatial Technologies Consortium (NISGTC) is authorized to create derivatives of identified elements modified from the original works. These elements are licensed under the Creative Commons Attributions 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA. The Network Development Group (NDG) is given a perpetual worldwide waiver to distribute per US Law this lab and future derivatives of these works. Lab 9: Analyze and Differentiate
    [Show full text]